Bringing AD from sbs2003 to new 2008 domain Controller

We had a situation where a catastrophic server failure occurred. The original server was an overtaxed SBS 2003. It turned out that backups weren't very good, resulting in some outside contracted support to get a band-aid in place for access to email and the domain. Details aside, we have a very cobbled SBS 2003 running in an unstable environment. The server cannot be restarted because of the standing issues.
The client has agreed to migrating to hosted Exchange and a non-SBS 2008/2012 domain. If it comes down to it, a full domain rebuild is an option, though not preferred.
Is there a semi-clean way of pulling AD from the SBS 2003 over to the Server 2008 that at no point will require a reboot of the SBS?
Very little is actually needed; the domain name cannot change, and user accounts and machine accounts are pretty much all that we are required to migrate. The file permissions, printer shares, etc. were already hosed, and those would both have been restructured anyway.
The actual file shares have moved and were remapped (there are all kinds of sync issues from the clients on their user documents, but that can be cleaned up).
The primary goal is to be able to break out of SBS, keep the machines and user accounts authenticating to the domain without having to reset the password or recreate the user accounts or exit and rejoin the domain.
They currently have login scripts mapping network shares to drives, but that should be going away anyway.
The environment ultimately will consist of a domain controller, a secondary domain controller, and one or two application servers; the secondary domain controller may be one of the application servers due to budget restraints on the project.
One of the application servers will house two applications and serve no other purpose beyond the required shares for those applications.
The second application server will house Symantec, WSUS, the primary file shares, print shares, and as stated before may also be the secondary domain controller.

The disaster recovery process to get to a cobbled state required that many of the services normally running not be running; Exchange is limited to local clients, with no IMAP, POP, or OWA access (it's technically not the native version of Exchange).

Migrating the email is a different thread altogether.

Is there a fairly straightforward way to do this from SBS 2003 to Server 2008?

RB_adcom (Author) Commented:
Given the environment we are in, I am concerned that there will be something that needs to be done on the SBS, following the standard method of migration, that the current SBS will not be able to complete due to its current state. We do not feel the system is stable enough to risk installing any patches. Windows Update should not be pulling updates currently on the SBS, so hopefully there is nothing in the system putting it in a "pending update state" that would impact the migration, but there is no guarantee of that.

If we were to do an NTBackup of the system state, is there a way to directly restore to a Server 2008?

DHCP would be nice to bring over, but definitely not a deal breaker. Really all we need is the user and computer accounts, most everything else is antiquated anyway.
Cliff Galiher Commented:
The only way to "bring over" your AD infrastructure is to join the 2008 server to the existing domain, promote it to a DC, and let it replicate. Of course that means making changes to AD, including necessary forest and domain schema updates.

Personally, given the situation you describe, I doubt you have the stability to pull this off. If you are looking to minimize downtime, I'd build the new domain offline and create all of the accounts before doing a transplant. You will obviously still need to disjoin and rejoin the machines to the new domain, and you will have ACL issues with any data shared, but having your domain controller (SBS 2003) go down during an attempted migration and *still* needing to build a new domain from scratch would be even longer.

It is unfortunate, but finding out that backups weren't good is always an unfortunate situation. After all, the whole point of backups is to act as a safety net, so when those are no good and a disaster strikes, there just sometimes is no good answer. Just the least bad.


Sandeshdubey (Senior Server Engineer) Commented:
You first need to verify the health of the current DC. Run dcdiag /q and repadmin /replsum and post the log if an error is reported. If the health of the DC is not good, new DC promotion may fail.

If no error reported as suggested you need to add the Win2008 server as member server and promote the server as DC.

Adding a Server Running Windows Server 2008 to a Windows Small Business Server 2003 Network:

For DHCP migration see this:
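An added example, not code from the thread or from Microsoft: a PowerShell script that runs the two read-only checks Sandeshdubey names above (dcdiag /q and repadmin /replsum), saves their raw output to a log so it can be posted or kept, and returns a go/no-go verdict for promoting the new DC. It assumes it runs on a domain-joined Windows machine where dcdiag.exe and repadmin.exe are on the path (the Windows Server 2003 Support Tools on the old side, the AD DS tools on Server 2008); the log location and the Invoke-NativeTool and Test-DcHealth function names are this example's own choices. Neither tool changes anything in the directory, which matters on a DC that must not be disturbed.

```powershell
# Added example, not the thread's own code. Runs the two read-only AD health
# checks (dcdiag /q, repadmin /replsum), logs the raw output and returns a
# verdict. Neither tool modifies the directory.

function Invoke-NativeTool {
    param([string]$Exe, [string[]]$Arguments)
    # Capture stdout and stderr together as one string, plus the exit code.
    $text = & $Exe @Arguments 2>&1 | Out-String
    New-Object PSObject -Property @{
        Command  = "$Exe $($Arguments -join ' ')"
        ExitCode = $LASTEXITCODE
        Output   = $text
    }
}

function Test-DcHealth {
    param(
        # Log location is this example's choice; point it at any writable folder.
        [string]$LogPath = "$env:TEMP\dc-health-$(Get-Date -Format 'yyyyMMdd-HHmmss').log"
    )
    # dcdiag /q prints only error messages, so any non-blank output is a failed test.
    $dcdiag = Invoke-NativeTool -Exe 'dcdiag.exe' -Arguments @('/q')
    $dcdiagErrors = @($dcdiag.Output -split "`r?`n" | Where-Object { $_.Trim().Length -gt 0 })

    # repadmin /replsum ends with per-DC tables whose rows read, for example:
    #   " DC01   19m:26s   0 /  5   0"   -> largest delta, fails / total, %% error
    # A row with a non-zero fails count is a replication failure.
    $repl = Invoke-NativeTool -Exe 'repadmin.exe' -Arguments @('/replsum')
    $replFailures = @($repl.Output -split "`r?`n" | Where-Object {
        ($_ -match '\b(\d+)\s*/\s*\d+\s+\d+\b') -and ([int]$Matches[1] -gt 0)
    })

    # Keep the raw output: the thread's advice is to post it if anything is reported.
    $log = @(
        "=== $($dcdiag.Command) (exit code $($dcdiag.ExitCode)) ===", $dcdiag.Output,
        "=== $($repl.Command) (exit code $($repl.ExitCode)) ===",     $repl.Output
    ) -join "`r`n"
    $log | Out-File -FilePath $LogPath -Encoding ASCII

    $healthy = ($dcdiagErrors.Count -eq 0) -and ($replFailures.Count -eq 0) -and ($repl.ExitCode -eq 0)
    New-Object PSObject -Property @{
        Healthy          = $healthy
        DcdiagErrorLines = $dcdiagErrors.Count
        ReplFailureRows  = $replFailures
        LogPath          = $LogPath
    }
}

# Usage: only add the 2008 server as a DC when Healthy comes back $true.
$result = Test-DcHealth
if ($result.Healthy) {
    Write-Host "No errors from dcdiag /q or repadmin /replsum. Log: $($result.LogPath)"
} else {
    Write-Warning "Health problems found; resolve these before promoting a new DC. Log: $($result.LogPath)"
    $result.ReplFailureRows | ForEach-Object { Write-Warning "Replication failure: $_" }
}
```

The script treats any dcdiag /q output as a failure because that switch suppresses everything except errors; with a single-DC domain repadmin /replsum will have no partners to report, so the replication table is the more useful check once the second DC exists and should come back clean before the SBS is demoted.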
VirastaR (UC Tech Consultant) Commented:

First question I have for you is whether you would like to migrate from SBS 2003 to Windows 2008 Server or to SBS 2008?

If your plan is to restore the SBS functionality after migrating to 2008, then you should consider this:

SBS 2008 Migrations from SBS 2003

Please confirm the upgrade path you would like to take.

Hope that helps :)
RB_adcom (Author) Commented:
We are moving Exchange to hosted Exchange, eliminating SBS.

It is doubtful this requirement is met:
"Installed update: "Windows Vista and Outlook 2007 compatibility update" (KB 926505). For information about this update, see the Microsoft Web site ("

Since we only updated what was required to patch the system (the restore from the system state brought in a whole shooting match of badness).

dcdiag /q and repadmin /replsum are just queries, no changes made? (This is a really cobbled solution; the contracted guys were amazed they got it to function at all, and had it not been for the customer request it would have been a rebuilt domain then and there, but that's in the past.)

Look at it from this perspective: if I had a system state backup (not concerned one iota about Exchange) from the SBS 2003 and all I had was a Server 2008 R2 machine, let's say the neighbor kid went skeet shooting with the SBS installer disks, and we are in the country with no internet.

Would it be possible to pull over the user and machine accounts into 2008 R2?

Security groups are being restructured, printers are handled; really we just need the existing machines to be able to authenticate to the domain.
Cliff Galiher Commented:
"Look at it from this perspective: if I had a system state backup (not concerned one iota about Exchange) from the SBS 2003 and all I had was a Server 2008 R2 machine, let's say the neighbor kid went skeet shooting with the SBS installer disks, and we are in the country with no internet.

Would it be possible to pull over the user and machine accounts into 2008 R2?"

Nope. No need to embellish it. Just. Nope.
RB_adcom (Author) Commented:
Final answer in this is that the chance of migrating successfully in this environment is slim to none?

Best course of action would be to have a second duplicate DC in place prepared to do a rebuild of the domain.

When it gets to plan B and we recreate the domain, what's going to happen, since I have to keep the same domain name? Since all SIDs will no longer be valid, when I exit and rejoin the domain, will the workstations see it as a different domain even though the name is the same?
Cliff Galiher Commented:
Correct. If you rebuild the domain, all machines will have to be joined to the new domain even if you keep the same name. And all the user accounts will be new and have new SIDs, so the profiles will be new, custom settings gone, and ACLs on any file storage will need to be reset.
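Cliff's plan B, building the new domain offline and creating all of the accounts beforehand, and his note here that every rebuilt account gets a new SID, can be turned into a two-step script. This is an added example and not code from the thread or from anyone in it. Step 1 reads the enabled user and computer accounts out of the existing domain over plain LDAP, which is read-only and can run from any workstation joined to the old domain, so nothing is executed on the fragile SBS box itself. Step 2 re-creates the users in the rebuilt domain with the ActiveDirectory module that ships on a 2008 R2 DC. The function names (Export-DomainAccounts, Import-UserAccounts, Get-FirstValue), the LDAP search root, the target OU and the CSV path are this example's own placeholders; the old SID is carried along purely as a record for matching up stale ACL entries by hand, because, as Cliff says, it cannot be reused.

```powershell
# Added example, not the thread's own code. Step 1 exports enabled users and
# computers from the old domain over read-only LDAP; step 2 re-creates the users
# in the rebuilt domain. All names and paths below are placeholders.

function Get-FirstValue($Values) {
    # Missing attributes come back empty (or null); return '' instead of erroring.
    if ($null -eq $Values) { return '' }
    foreach ($v in $Values) { return [string]$v }
    return ''
}

function Export-DomainAccounts {
    param(
        [string]$SearchRoot = 'LDAP://DC=example,DC=local',        # placeholder: old domain
        [string]$OutFile    = "$env:TEMP\old-domain-accounts.csv"
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize = 500   # paged results, so larger domains avoid the 1000-object cap
    # Enabled users and computers only; bit 0x2 of userAccountControl marks a disabled account.
    $searcher.Filter = '(&(|(objectCategory=person)(objectCategory=computer))' +
                       '(sAMAccountName=*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    foreach ($attr in 'objectCategory','sAMAccountName','cn','displayName','description','objectSid') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $rows = foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        # objectSid arrives as a byte array. It is recorded only so old ACL entries can be
        # matched up later; SIDs cannot be carried into a rebuilt domain.
        $sid  = New-Object System.Security.Principal.SecurityIdentifier($p['objectsid'][0], 0)
        $type = 'User'
        if ((Get-FirstValue $p['objectcategory']) -like 'CN=Computer,*') { $type = 'Computer' }
        New-Object PSObject -Property @{
            Type           = $type
            SamAccountName = Get-FirstValue $p['samaccountname']
            Name           = Get-FirstValue $p['cn']
            DisplayName    = Get-FirstValue $p['displayname']
            Description    = Get-FirstValue $p['description']
            OldSid         = $sid.Value
        }
    }
    $rows = $rows | Select-Object Type, SamAccountName, Name, DisplayName, Description, OldSid
    $rows | Export-Csv -Path $OutFile -NoTypeInformation
    return $rows
}

function Import-UserAccounts {
    param(
        [string]$CsvPath  = "$env:TEMP\old-domain-accounts.csv",
        [string]$TargetOU = 'OU=Staff,DC=example,DC=local'          # placeholder: new domain
    )
    Import-Module ActiveDirectory
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $users = Import-Csv -Path $CsvPath | Where-Object { $_.Type -eq 'User' -and $_.SamAccountName }
    foreach ($row in $users) {
        # Idempotent: skip accounts already created by an earlier run.
        if (Get-ADUser -Filter "sAMAccountName -eq '$($row.SamAccountName)'") { continue }

        # Fresh random one-time password per account, forced to change at first logon.
        # 15 random bytes -> 20 base64 characters (assumed to satisfy the domain's
        # complexity policy). Returned to the caller for out-of-band delivery; this
        # script never writes it to disk.
        $bytes = New-Object byte[] 15
        $rng.GetBytes($bytes)
        $tempPassword = [Convert]::ToBase64String($bytes)

        $new = @{
            Name                  = $row.Name
            SamAccountName        = $row.SamAccountName
            Path                  = $TargetOU
            AccountPassword       = ConvertTo-SecureString $tempPassword -AsPlainText -Force
            ChangePasswordAtLogon = $true
            Enabled               = $true
        }
        if ($row.DisplayName) { $new.DisplayName = $row.DisplayName }
        if ($row.Description) { $new.Description = $row.Description }
        New-ADUser @new

        New-Object PSObject -Property @{
            SamAccountName = $row.SamAccountName
            TempPassword   = $tempPassword
            OldSid         = $row.OldSid      # record for old ACL cleanup, never reused
        }
    }
}

# Usage, old side:  Export-DomainAccounts -SearchRoot 'LDAP://DC=corp,DC=local'
# Usage, new DC:    Import-UserAccounts -CsvPath C:\migrate\old-domain-accounts.csv
```

Computer rows are exported but deliberately not re-created: each workstation has to be disjoined and rejoined anyway, and the join creates the computer account, so the Computer rows serve as the rejoin checklist. Because every user gets a brand-new SID, the existing roaming or local profiles will not attach to the new accounts and file ACLs still reference the OldSid values, which is exactly the cleanup Cliff describes.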
RB_adcom (Author) Commented:
Problematic issue, hard solution to advise a user on.
Ultimately we contracted the work out to Progent and they did exactly what we wanted, but not as a simple task.